Point of sale terminal having enhanced security

ABSTRACT

A data entry device including a housing formed of at least two portions, data entry circuitry located within the housing, at least one case-open switch assembly operative to sense when the housing is opened and tamper indication circuitry operative to receive an input from the at least one case-open switch assembly and to provide an output indication of possible tampering with the data entry circuitry located within the housing. The at least one case-open switch assembly includes an arrangement of electrical contacts arranged on a base surface and a resiliently deformable conductive element, which defines a short circuit between at least some of the arrangement of electrical contacts only when the housing is closed.

This application is a continuation of U.S. patent application Ser. No.12/715,394, filed Mar. 2, 2010, entitled “POINT OF SALE TERMINAL HAVINGENHANCED SECURITY”, the contents of which are incorporated by reference.

REFERENCE TO RELATED APPLICATIONS

Reference is made to the following patent and patent applications, ownedby assignee, the disclosures of which are hereby incorporated byreference, which are believed to relate to subject matter related to thesubject matter of the present application:

U.S. Pat. No. 6,853,093; U.S. Published Patent Applications No.2007/0152042 and 2009/0184850; and U.S. patent application Ser. No.12/666,054.

FIELD OF THE INVENTION

The present invention relates generally to secure keypad devices andmore particularly to data entry devices having anti-tamperfunctionality.

BACKGROUND OF THE INVENTION

The following U.S. Patent Publications are believed to represent thecurrent state of the art and are hereby incorporated by reference:

U.S. Published Patent Application Nos. 2008/0278353 and 2007/0102272;

U.S. Pat. Nos. 7,270,275; 6,646,565; 6,917,299; 6,936,777; 6,563,488;5,559,311 and 4,486,637;

European Patent Nos.: 1421549 and 1676182;

Great Britain Patent Application No. GB8608277;

Japanese Patent Application No. JP2003100169;

French Patent Application No. 2911000; and

Published PCT Patent Application No. WO2009/091394.

SUMMARY OF THE INVENTION

The present invention seeks to provide improved secure keypad devices.

There is thus provided in accordance with a preferred embodiment of thepresent invention a data entry device including a housing formed of atleast two portions, data entry circuitry located within the housing, atleast one case-open switch assembly operative to sense when the housingis opened and tamper indication circuitry operative to receive an inputfrom the at least one case-open switch assembly and to provide an outputindication of possible tampering with the data entry circuitry locatedwithin the housing. The at least one case-open switch assembly includesan arrangement of electrical contacts arranged on a base surface and aresiliently deformable conductive element, which defines a short circuitbetween at least some of the arrangement of electrical contacts onlywhen the housing is closed. The resiliently deformable conductiveelement includes an at least partially continuous circumferential flangefixed at at least two locations thereat in electrical contact with atleast one of the electrical contacts at at least two correspondinglocations on the base surface, a circumferential portion having a crosssectional configuration which includes two mutually spaced arches, acentral portion disposed in a case-open operative orientation at a firstdistance from the base surface and a contact portion located interiorlyof the central portion and disposed in a case-open operative orientationat a second distance from the base surface, less than the firstdistance.

Preferably, the arches of the circumferential portion are at least at adistance from the base surface which exceeds the first distance.

In accordance with a preferred embodiment of the present invention thecentral portion is generally flat. Additionally or alternatively, thecontact portion is generally flat.

Preferably, the resiliently deformable conductive element defines ashort circuit between some, but not all, of the arrangement ofelectrical contacts when the housing is closed.

In accordance with a preferred embodiment of the present invention thearrangement of electrical contacts arranged on a base surface includesan outer ring, at least one intermediate ring and a central contact.Additionally, the at least one intermediate ring includes an outerintermediate ring and an inner intermediate ring.

Preferably, the outer intermediate ring is a continuous ring.Alternatively, the outer intermediate ring is divided into pluralelements.

In accordance with a preferred embodiment of the present invention thecentral portion of the resiliently deformable conductive elementcontacts the central contact when the housing is closed. Additionally,when the central portion of the resiliently deformable conductiveelement contacts the central contact, the outer intermediate ring isthereby electrically connected with the central contact.

Preferably, when the central portion of the resiliently deformableconductive element contacts the central contact, no part of theresiliently deformable conductive element is in electrical contact witheither the outer ring or the inner intermediate ring. Additionally, theouter ring and the inner intermediate ring are both coupled to a voltageVDD via a first resistor, the outer intermediate ring is grounded, andthe central contact is coupled to voltage VDD via a second resistor.

In accordance with a preferred embodiment of the present invention theinput to the tamper indication circuitry includes an indication ofwhether the deformable conductive element is simultaneously in contactwith both the central contact and the outer intermediate ring.Additionally or alternatively, the input to the tamper indicationcircuitry includes an indication of whether the inner intermediate ringis short circuited with at least one of the central contact and theouter intermediate ring. Alternatively or additionally, the input to thetamper indication circuitry includes an indication of whether the outerring is short circuited with the outer intermediate ring.

Preferably, a separation between the contact portion of the resilientlydeformable conductive element and the central contact is less than 0.1mm. Additionally or alternatively, a force required to establishelectrical contact between the contact portion of the resilientlydeformable conductive element and the central contact is approximately200 grams.

Preferably, the data entry device also includes an anti-tampering grid,formed of a multiplicity of interconnected anti-tampering electricalconductors in a circuit board associated with the tamper indicationcircuitry.

There is also provided in accordance with a preferred embodiment of thepresent invention a case-open switch assembly for a data entry deviceincluding a housing, the case-open switch assembly including anarrangement of electrical contacts arranged on a base surface and aresiliently deformable conductive element, which defines a short circuitbetween at least some of the arrangement of electrical contacts onlywhen the housing is closed. The resiliently deformable conductiveelement includes an at least partially continuous circumferential flangefixed at at least two locations thereat in electrical contact with atleast one of the electrical contacts at at least two correspondinglocations on the base surface, a circumferential portion having a crosssectional configuration which includes two mutually spaced arches, acentral portion disposed in a case-open operative orientation at a firstdistance from the base surface and a contact portion located interiorlyof the central portion and disposed in a case-open operative orientationat a second distance from the base surface, less than the firstdistance.

BRIEF DESCRIPTION OF THE DRAWINGS

The present invention will be understood and appreciated more fully fromthe following detailed description, taken in conjunction with thedrawings in which:

FIGS. 1A and 1B are simplified exploded view illustrations, taken inrespective opposite directions, of part of a secure keypad deviceconstructed and operative in accordance with a preferred embodiment ofthe present invention in a case open operative orientation;

FIG. 1C is a simplified illustration of the secure keypad device ofFIGS. 1A and 1B in a case closed operative orientation;

FIG. 2 is a simplified planar illustration of the interior of a portionof the housing of the secure keypad device illustrated in FIGS. 1A-1C;

FIGS. 3A & 3B are simplified planar illustrations, taken in respectiveopposite directions, of a keypad portion of the secure keypad deviceillustrated in FIGS. 1A-2;

FIGS. 4A & 4B are simplified planar illustrations, taken in respectiveopposite directions, of a case open switch forming part of the securekeypad device illustrated in FIGS. 1A-3B;

FIGS. 5A & 5B are simplified pictorial illustrations, taken inrespective opposite directions, of the case open switch of FIGS. 4A &4B;

FIGS. 6A & 6B are simplified sectional illustrations of the case openswitch of FIGS. 4A-5B in respective case closed and case open operativeorientations; and

FIG. 7 is a simplified sectional illustration, taken along lines VII-VIIin FIG. 1C, of a portion of the secure keypad device, including the caseopen switch in a case closed operative orientation.

DETAILED DESCRIPTION OF PREFERRED EMBODIMENTS

The present invention seeks to provide an improved security system forelectronic devices, especially tamper-protected point of sale terminalsand other devices containing sensitive information, such as personaldata and encryption keys. For the purposes of the present descriptionand claims, the term “point of sale terminals” includes, inter alia, PINpads, electronic cash registers, ATMs, card payment terminals and thelike.

The point of sale terminals preferably include a housing, an anti-tamperprotected enclosure located within the housing and adapted to containthe sensitive information, anti-tamper protection circuitry locatedwithin the anti-tamper protected enclosure and case open switcheselectrically coupled to the anti-tamper protection circuitry forprotecting against unauthorized access to the interior of theanti-tamper protected enclosure.

Preferably, a confidential data storage element is located within theanti-tamper protected enclosure. Additionally or alternatively a dataentry element is also mounted in the housing.

Preferably, the anti-tamper protection circuitry is operative, in theevent of unauthorized opening on the housing to perform at least one ofthe following actions: generate an alarm indication, disable the deviceand erase the sensitive data.

Reference is now made to FIGS. 1A-5B, which illustrate a secure keypaddevice constructed and operative in accordance with a preferredembodiment of the present invention.

As seen in FIGS. 1A-5B, there is provided a secure keypad device 100including a housing element 102 which, together with a back panel 103,defines a keypad device housing. Housing element 102 includes, on a topsurface 104 thereof, a display window 106, through which a display (notshown) may be viewed, and an array 108 of key apertures 110.

It is a particular feature of an embodiment of the present inventionthat the housing element 102 includes on an underside surface 112thereof a plurality of spaced case open switch actuation protrusions114.

A resilient key mat 116, preferably formed of a resilient plastic orrubber, defines a plurality of depressible keys 118, preferablyintegrally formed with the remainder of key mat 116, which partiallyextend through key apertures 110. Underlying each of keys 118 is a keyactuation protrusion 120. Disposed at multiple locations on key mat arecase open switch actuation responsive displaceable portions 122, eachincluding a top facing protrusion 124, which is engaged by acorresponding case open switch actuation protrusion 114, and a bottomfacing protrusion 126.

It is a particular feature of a preferred embodiment of the presentinvention that when the housing is closed, case open switch actuationprotrusions 114 engage corresponding protrusions 124 and causedisplacement of corresponding case open switch actuation responsivedisplaceable portions 122 in a direction indicated by an arrow 128.Opening of the housing retracts case open switch actuation protrusions114 from corresponding protrusions 124 and enables displacement ofcorresponding case open switch actuation responsive displaceableportions 122 in a direction opposite to that indicated by arrow 128 as aresult of resilience of the case open switch actuation responsivedisplaceable portions 122 and key mat 116.

Underlying key mat 116 is a light guide element 130 which includes anarray 132 of apertures 134 which accommodate key actuation protrusions120. It is a particular feature of a preferred embodiment of the presentinvention that light guide element 130 also includes a plurality ofapertures 136, which accommodate bottom facing protrusions 126 of caseopen switch actuation responsive displaceable portions 122.

Underlying light guide element 130 and preferably adhered to anunderside surface thereof is a key contact layer 140. Key contact layer140 preferably includes an array 142 of raised resilient conductivedomes 144, such as those commercially available from Snaptron, Inc. ofWindsor, Colo., USA. It is a particular feature of an embodiment of thepresent invention that key contact layer 140 also includes a pluralityof apertures 146 which accommodate bottom facing protrusions 126 of caseopen switch actuation responsive displaceable portions 122, particularlywhen displaced in the direction of arrow 128, when the housing isclosed.

An anti-tampering grid 150, formed of a multiplicity of interconnectedanti-tampering electrical conductors in a flexible printed circuit board(PCB) is optionally provided between the light guide element 130 and thekey contact layer 140.

Underlying key contact layer 140 is an electrical circuit board 160,which functions, inter alia, as a key contact pad board, defining aplurality of pairs of adjacent electrical contact pads 162, each pairunderlying a corresponding dome 144, preferably made of carbon, metal orcombination of carbon/metal. The arrangement of key contact layer 140and of electrical circuit board 160 is such that depression of a key 118by the finger of a user causes dome 144 to establish electrical contactwith and between a corresponding pair of electrical contact pads 162lying thereunder and in registration therewith. When key 118 is notdepressed, no electrical contact exists between dome 144 and a pair ofcorresponding electrical contact pads 162 or between the adjacent padsof the pair.

Electrical circuit board 160 preferably includes an anti-tampering grid164 formed of a multiplicity of interconnected anti-tampering electricalconductors. The anti-tampering grids 150 and 164 are coupled toanti-tampering detection circuitry 166.

In accordance with a preferred embodiment of the present invention,case-open switches, which sense physical tampering and opening of thehousing, are provided, each preferably including the followingstructure:

-   -   an arrangement of electrical contacts 170 arranged on a base        surface, preferably electrical circuit board 160, and    -   a resiliently deformable conductive element 172, which defines a        short circuit between at least some of said arrangement of        electrical contacts 170 only when said housing is closed.

The arrangement of electrical contacts 170 preferably includes an outerring 174, an optionally quartered outer intermediate ring 176, an innerintermediate ring 178, and a central contact 180. It is appreciated thatouter intermediate ring 176 may be a continuous ring or may be dividedinto any number of elements.

It is a particular feature of an embodiment of the present inventionthat the resiliently deformable conductive element 172 includes an atleast partially continuous circumferential flange 184 fixed at at leasttwo locations 186 thereat in electrical contact with at least twoquadrants of outer intermediate ring 176, a circumferential portion 188having a cross sectional configuration which includes two mutuallyspaced arches 190 (as seen in FIGS. 6A and 6B), a central portion 192disposed in a case-open operative orientation at a first distance fromthe base surface; and a contact portion 194 located interiorly of thecentral portion and disposed in a case-open operative orientation at asecond distance from the base surface, less than the first distance.

When the housing is opened by at least approximately 0.75 mm, one ormore of the plurality of spaced case open switch actuation protrusions114 is retracted from one or more corresponding top facing protrusions124 of one or more case open switch actuation responsive displaceableportions 122, whose resilience causes corresponding retraction of one ormore bottom facing protrusions 126, whose retraction reduces thepressure on one or more central portion 192 of one or more resilientlydeformable conductive elements 172. This results in at least one contactportion 194 becoming separated from a corresponding contact 180.

Reference is now made to FIGS. 6A and 6B, which are simplified sectionalillustrations of the case open switch of FIGS. 4A-5B in respective caseclosed and case open operative orientations, and to FIG. 7, which is adetailed sectional illustration of secure keypad device, including thecase open switch, in a case closed operative orientation. Forsimplicity, FIGS. 6A-7 do not include the optional anti-tampering grid150 (FIGS. 1A & 1B).

As seen generally in FIG. 7 and with greater specificity in FIG. 6A,when the housing is in a case closed operative orientation, case openswitch actuation protrusions 114 (FIGS. 1B & 2) engage correspondingprotrusions 124 (FIG. 1A) and cause displacement of corresponding caseopen switch actuation responsive displaceable portions 122 (FIGS. 1A &1B) in the direction indicated by arrow 128. As a result, bottom facingprotrusions 126 of case open switch actuation responsive displaceableportions 122 are in pressure contact with central portion 192 ofresiliently deformable conductive element 172.

This pressure contact displaces the central portion 192 downwardly inthe direction of arrow 128 such that contact portion 194 of resilientlydeformable conductive element 172 is in touching and electrical contactwith central contact 180, thus electrically connecting outerintermediate ring 176 with central contact 180. It is noted that due tothe particular configuration and construction of resiliently deformableconductive element 172, no part of resiliently deformable conductiveelement 172 is in electrical contact with either of rings 174 and 178.

As seen in FIG. 6A, outer ring 174 and inner intermediate ring 178 areboth coupled to a voltage VDD via a resistor R₁, outer intermediate ring176 is grounded and central contact 180 is coupled to voltage VDD via aresistor R₂. A voltage V₂ may be measured to indicate whether thehousing is open or closed, i.e. whether or not deformable conductiveelement 172 is simultaneously in contact with both central contact 180and outer intermediate ring 176. When deformable conductive element 172is simultaneously in contact with both central contact 180 and outerintermediate ring 176, V₂ is zero. Otherwise V₂ equals VDD.

An attempt to tamper with the case open switch by short circuitingcentral contact 180 and outer intermediate ring 176 will also shortcircuit inner intermediate ring 178 with contact 180 and/or outerintermediate ring 176 or short circuit outer ring 174 with outerintermediate ring 176 and may be detected by measuring a voltage V₁.During normal operation, where no tampering is detected, V₁ is equal toVDD. An attempt to tamper with the case open switch causes voltage V₁ tobe zero.

Anti-tampering circuitry 166 (FIG. 1B) preferably is operative tomeasure voltages V₁ and V₂ and to provide tampering alarms and responsesaccordingly. Optional anti tampering grids 150 and 164 may also becoupled to anti tampering circuitry 166.

Attempts to tamper with the case open switch, as by applying conductiveadhesive under resiliently deformable conductive element 172 orinsertion of a conductive element under resiliently deformableconductive element 172 may be made in order to establish an electricalconnection between ring 176 and contact 180 even when the housing isopen.

Such attempts to tamper can be expected to result in establishment of anelectrical connection between the resiliently deformable conductiveelement 172, rings 176 and central contact 180 on the one hand and atleast one of rings 174 and 178, thus producing an alarm.

It is a particular feature of the present invention that the requireddisplacement of resiliently deformable conductive element 172 alongarrow 128 into a case closed operative orientation is relatively small.This may be seen by reference to FIG. 6B, which indicates that theseparation between the contact portion 194 of resiliently deformableconductive element 172 and contact 180 in the direction indicated alongarrow 128 is preferably 0.06 mm. It is also seen in FIG. 6B that thedistance between the top of the circumferential portion 188 to thebottom of flange 184 is preferably 0.3 mm, the diameter of the centralportion 192 is preferably 3.7 mm and the diameter of the contact portion194 is preferably 0.50 mm. The overall diameter of the resilientlydeformable conductive element 172 is preferably 5.50 mm and the radialextent of flange 184 is 0.33 mm.

Additionally, circumferential flange 184 preferably is attached bysoldering thereof, at discrete locations 186 therealong, to outerintermediate ring 176 and the provision of circumferential portion 188having a cross sectional configuration which includes two mutuallyspaced arches 190 reduces the amount of force required to displacecontact portion 194 into electrical contact with contact 180. Preferablythe required force is about 200 grams.

Furthermore, the angular displacement of resiliently deformableconductive element 172 between case open and case closed operativeorientations is small, resulting in high reliability of reversion to acase open orientation when the housing is opened, even after having beenclosed for a long time.

The above features make attempts to tamper difficult.

It is appreciated by persons skilled in the art that the presentinvention is not limited by what has been particularly shown anddescribed hereinabove. Rather the scope of the present inventionincludes both combinations and subcombinations of various featuresdescribed hereinabove as well as variations and modifications theretowhich would occur to a person of skill in the art upon reading the abovedescription and which are not in the prior art.

The invention claimed is:
 1. A data entry device comprising: a housingformed of at least two portions; data entry circuitry located withinsaid housing; at least one case-open switch assembly operative to sensewhen said housing is opened; and tamper indication circuitry operativeto receive an input from said at least one case-open switch assembly andto provide an output indication of possible tampering with said dataentry circuitry located within said housing, said at least one case-openswitch assembly including: an arrangement of electrical contactsarranged on a base surface, said arrangement of electrical contactsincluding an outer ring contact, at least one intermediate ring contact,and a central contact, at least one of said outer ring contact and saidat least one intermediate ring contact being an anti-tampering contactand being coupled to said tamper indication circuitry; and a resilientlydeformable conductive element, which defines a short circuit betweensaid central contact and said at least one intermediate ring contactonly when said housing is closed, said resiliently deformable conductiveelement comprising: an at least partially continuous circumferentialflange fixed in electrical contact with said at least one intermediatering contact; a circumferential portion having a cross sectionalconfiguration which includes two mutually spaced arches; a centralportion disposed in a case-open operative orientation at a firstdistance from said base surface; and a contact portion locatedinteriorly of said central portion and disposed in a case-open operativeorientation at a second distance from said base surface, less than saidfirst distance, and in a non-case open operative orientation touchingsaid central contact.
 2. The data entry device according to claim 1 andwherein said arches of said circumferential portion are at least at adistance from said base surface which exceeds said first distance. 3.The data entry device according to claim 1 and wherein said centralportion is generally flat.
 4. The data entry device according to claim 1and wherein said contact portion is generally flat.
 5. The data entrydevice according to claim 1 and wherein said at least one intermediatering contact includes at least one outer intermediate ring contact andan inner intermediate ring contact.
 6. The data entry device accordingto claim 5 and wherein said input to said tamper indication circuitryincludes an indication of whether said inner intermediate ring contactis short circuited with at least one of said central contact and said atleast one intermediate ring contact.
 7. The data entry device accordingto claim 5 and wherein said at least one outer intermediate ring contactcomprises at least two outer intermediate ring contacts.
 8. The dataentry device according to claim 1 and wherein said contact portion ofsaid resiliently deformable conductive element contacts said centralcontact when said housing is closed.
 9. The data entry device accordingto claim 8 and wherein when said contact portion of said resilientlydeformable conductive element contacts said central contact, said atleast one intermediate ring contact is thereby electrically connectedwith said central contact.
 10. The data entry device according to claim1 and wherein said input to said tamper indication circuitry includes anindication of whether said deformable conductive element issimultaneously in contact with both said central contact and said atleast one intermediate ring contact.
 11. The data entry device accordingto claim 1 and wherein a separation between said contact portion of saidresiliently deformable conductive element and said central contact isless than 0.1 mm.
 12. The data entry device according to claim 1 andwherein a force required to establish electrical contact between saidcontact portion of said resiliently deformable conductive element andsaid central contact is approximately 200 grams.
 13. The data entrydevice according to claim 1 and wherein said at least one intermediatering contact comprises at least two intermediate ring contacts.
 14. Acase-open switch assembly for use with a two part housing, said two parthousing having at least an open state and a closed state, the case-openswitch assembly comprising: an arrangement of electrical contactsarranged on a base surface in said housing, said arrangement ofelectrical contacts including an outer ring contact, at least oneintermediate ring contact, and a central contact, at least one of saidouter ring contact and said at least one intermediate ring contact beingan anti-tampering contact; and a resiliently deformable conductiveelement, which defines a short circuit between said central contact andsaid at least one intermediate ring contact only when said housing isclosed, said resiliently deformable conductive element comprising: an atleast partially continuous circumferential flange fixed in electricalcontact with said at least one intermediate ring contact; acircumferential portion having a cross sectional configuration whichincludes two mutually spaced arches; a central portion disposed in acase-open operative orientation at a first distance from said basesurface; and a contact portion located interiorly of said centralportion and disposed in a case-open operative orientation at a seconddistance from said base surface, less than said first distance, and in anon-case open operative orientation touching said central contact. 15.The case-open switch assembly according to claim 14 and wherein said atleast one intermediate ring contact comprises an inner intermediate ringcontact and at least one outer intermediate ring contact.
 16. Thecase-open switch assembly according to claim 15 and wherein said atleast one outer intermediate ring contact comprises at least two outerintermediate ring contacts.
 17. The case-open switch assembly accordingto claim 14 and wherein said at least one intermediate ring contactcomprises at least two intermediate ring contacts.
 18. The case-openswitch assembly according to claim 14 and wherein said arches of saidcircumferential portion are at least at a distance from said basesurface which exceeds said first distance.
 19. The case-open switchassembly according to claim 14 and wherein said central portion isgenerally flat.